You might refer to it by many names: bring your own danger, bring your own
disaster, bring your own detonator, or what most people call it, bring your own
device (BYOD). What used to be inconceivable—using one’s own personal mobile
device or smartphone for work—is now one of the hottest trends. The idea of using
a personal smartphone at work sprouted when many executives got their first
iPhones back in 2007 and wanted access to corporate resources. Since then, BYOD
has transitioned from a fad to a major transformation of enterprise IT. As a result,
the contract between IT organizations and employees has shifted from one of
corporate-provisioned and managed laptops and BlackBerry devices to one where workers
are free to bring the device of their choice (i.e., laptops, smartphones, and tablets).
These personally owned devices are typically used for a mix of both business and
As more smartphones, tablets, and other types of mobile devices make their way
into employees’ hands, requests for corporate access from those devices are
increasing, which represents a huge challenge for IT departments. Not only has IT
lost the ability to fully control and manage these devices, but employees are now
demanding that they be able to conduct company business from multiple personal
devices. Initially resistant to the idea because of security concerns, IT teams are
slowly and hesitantly adopting the concept, still worried about the inherent risks of
allowing personal devices to access and store sensitive corporate information.
Mobile devices are a double-edged sword for enterprises. CRN reported on a
Ponemon Institute/Websense survey finding that 77 percent of responding business
professionals said that the use of mobile devices in the workplace is important to
achieving business objectives, but almost the same percentage—76 percent—believe
that these tools introduce a serious set of risks. While organizations understand
the risks, the survey showed that only 39 percent have security controls in place to
mitigate those risks. As a result, 59 percent of respondents said they’ve seen a jump
in malware infections over the past 12 months due specifically to unsecured mobile
devices, including laptops, smartphones, and tablets. It’s clear that there is a
significant business risk with BYOD, and it’s not going away.
In 2013, the mobile workforce is expected to increase to 1.2 billion—a figure that
will represent about 35 percent of the worldwide workforce—and many of those
workers will be using their own devices.
People have become very attached to their mobile devices. They customize them,
surf the web, play games, watch movies, shop, and often simply manage life with
these always-connected devices. Those organizations that have implemented BYOD
programs are reporting increased productivity and employee satisfaction at work.
The 2012 Mobile Workforce Report from enterprise WiFi access firm iPass found
that many employees are working up to 20 additional hours per week, unpaid, as a
result of their company’s BYOD policies. Nonetheless, 92 percent of mobile workers
said they “enjoy their job flexibility” and are “content” with working longer hours.
In addition, 42 percent would like “even greater flexibility for their working practices.”
Organizations have been able to reduce some of their overall mobile expenses
simply by not having a capital expenditure for mobile devices and by avoiding the
monthly service charges that come with each device. In addition, in some cases, BYOD
implementations can brand the IT organization as innovators.
The flip side of the convenience and flexibility of BYOD is the set of concerns about
the risks introduced to the corporate infrastructure when unmanaged and
potentially unsecured personal devices are allowed access to sensitive, proprietary
information. Applying security across devices from multiple vendors running different
platforms is becoming increasingly difficult. Organizations need dynamic policy
enforcement to govern the way they now lock down data and applications. As with
laptops, if an employee logs in to the corporate data center from a compromised
mobile device harboring rootkits, keyloggers, or other forms of malware, then that
employee becomes as much of a risk as an attacker with direct access to the
corporate data center.
Mobile IT is a major transformation for IT departments that is deeply affecting every
major industry vertical, and the effects will continue for years to come.
BYOD 1.0 (2009-2012)
BYOD 1.0 is the industry’s first attempt at solving problems related to personally
owned devices in the workplace. BYOD 1.0 consists of two primary components—
mobile device management (MDM) and device-level, layer 3 VPNs. The primary aim
of MDM is to manage and secure the endpoint device itself, including varying
amounts of protection for data at rest on the device (which is typically limited to
enabling native device encryption via configuration). The primary aim of the layer 3
VPN is to connect the device back into the corporate network, providing data-in-transit
security for corporate traffic.
Both of these BYOD 1.0 components have a drawback—they are umbrellas that
protect and manage the entire device, rather than zeroing in on just the enterprise
data and applications on that device. Since these are usually dual-purpose
(work/personal) devices, this device-wide approach causes issues for both workers and for IT.
Employees don’t like that BYOD 1.0 imposes enterprise controls over their personal
devices, applications, and information. One of the most commonly cited examples
is that of the employee who leaves a company and has his device wiped by the
organization, losing photos of his family along with the enterprise data and
applications. People are also concerned with the privacy of their personal data
under a BYOD 1.0 scheme.
From an IT perspective, organizations agree—they don’t want to have to concern
themselves with personal data or applications. As soon as they manage the entire
device or simply connect that device to the corporate network via VPN, that
personal traffic also becomes an IT problem.
While BYOD 1.0 helps to enable the use of personally owned devices in the
enterprise, the device-level approach certainly has its drawbacks. BYOD 2.0 seeks
to solve these shortcomings.
The shift from BYOD 1.0 to BYOD 2.0 builds on many of the concepts developed
during BYOD 1.0, adding a new set of frameworks that enable IT organizations to
wrap enterprise applications in a security layer.
BYOD 2.0 (2013- )
Throughout BYOD 1.0, F5 has provided connectivity for mobile devices into
enterprise networks with VPN functionality, most commonly through iOS and
Android versions of the F5® BIG-IP® Edge Client®. This layer provides management
capabilities as well as functionality such as authentication and authorization,
data-at-rest security, and data-in-transit security, among others.
BYOD 2.0 builds on the BYOD 1.0 foundation but makes a substantial shift from a
device-level focus to an application-level focus. BYOD 2.0 seeks to ensure that the
enterprise footprint on a personally owned device is limited to the enterprise data
and applications and nothing more. This means that mobile device management is
supplanted by mobile application management (MAM), and device-level VPNs are
replaced by application-specific VPNs. These application-specific VPNs include
technology such as BIG-IP APM AppTunnels, a single secure, encrypted connection
to a specific service such as Microsoft Exchange.
With this approach, workers are happier than with BYOD 1.0 because the enterprise
manages and sees only the enterprise subset of the overall data and applications on
the device, leaving the management of the device itself, and of personal data and
applications, to the device’s owner. IT staff prefer the BYOD 2.0 approach for the
same reasons—it allows them to concern themselves only with the enterprise data
and applications they need to secure, manage, and control.
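To make the difference in scope concrete, here is an added example (not F5 or BIG-IP code, and not a description of how Mobile App Manager is implemented) that models the BYOD 1.0 full-device wipe from the employee anecdote above against the BYOD 2.0 enterprise-only wipe. It assumes the enterprise app keeps its data sealed under a container key provisioned at enrollment, so a wipe only has to destroy that key (crypto-erase); the standard-library cipher is a stand-in for a real AEAD such as AES-GCM, and the device contents are constructed samples.

```python
"""Enterprise-only ("selective") wipe via container-key destruction.

Added illustration, not F5 or BIG-IP code. Assumptions: the enterprise
app keeps its data in a container encrypted under a key provisioned at
enrollment, personal data lives outside that container, and a remote
wipe destroys only the key (crypto-erase). The cipher below is a
standard-library stand-in for a real AEAD such as AES-GCM.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the container key."""
    return hashlib.sha256(label + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on tampering or a wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class ContainerWiped(Exception):
    """Raised when the enterprise container key no longer exists."""


@dataclass
class Device:
    # Owner-managed data outside the enterprise container (kept in the clear
    # here; a real device protects it with the owner's own keys).
    personal: Dict[str, bytes] = field(default_factory=dict)
    # Enterprise app data is stored only as sealed blobs.
    enterprise_blobs: Dict[str, bytes] = field(default_factory=dict)
    container_key: Optional[bytes] = None

    def enroll(self) -> None:
        """The enterprise provisions a fresh container key at enrollment."""
        self.container_key = os.urandom(32)

    def store_enterprise(self, name: str, data: bytes) -> None:
        if self.container_key is None:
            raise ContainerWiped("no enterprise container on this device")
        self.enterprise_blobs[name] = seal(self.container_key, data)

    def read_enterprise(self, name: str) -> bytes:
        if self.container_key is None:
            raise ContainerWiped("enterprise container has been wiped")
        return unseal(self.container_key, self.enterprise_blobs[name])

    def selective_wipe(self) -> None:
        """BYOD 2.0 style: destroy only the container key. Sealed blobs may
        linger in storage but are unrecoverable; personal data is untouched."""
        self.container_key = None

    def device_wipe(self) -> None:
        """BYOD 1.0 style (MDM full wipe): everything goes, photos included."""
        self.personal.clear()
        self.enterprise_blobs.clear()
        self.container_key = None


def demo() -> dict:
    """Compare the two wipe models on a constructed dual-use device."""
    def build() -> Device:
        d = Device()
        d.personal["family.jpg"] = b"\x89PNG personal photo bytes"  # constructed sample
        d.enroll()
        d.store_enterprise("mailbox.db", b"From: ceo@corp.example ...")  # constructed sample
        return d

    selective = build()
    selective.selective_wipe()
    full = build()
    full.device_wipe()
    return {
        "selective_keeps_personal": "family.jpg" in selective.personal,
        "selective_blob_still_present": "mailbox.db" in selective.enterprise_blobs,
        "full_keeps_personal": "family.jpg" in full.personal,
    }
```

The design point is that the enterprise never has to touch, or even see, the owner's data to guarantee its own data is gone: `selective_wipe` leaves the ciphertext on the device, and `unseal` fails closed without the key, which is exactly the "enterprise subset only" footprint the text describes.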
BYOD 2.0 and the aforementioned application wrapping frameworks are changing
the dynamic in the mobile space. By combining mobile management functionality
and access functionality into a single offering, these wrappers give enterprises a
mobile IT solution that extends from data and applications on the endpoint into the
cloud and data center.
Different types of environments will require different types of access control
mechanisms. The traditional enterprise data center will still accommodate the
traditional, VPN gateway appliance approach to controlling access. By contrast, a
deployment of applications into an Infrastructure as a Service (IaaS) public cloud,
such as the Amazon Elastic Compute Cloud (Amazon EC2), might require a
virtual edition of a VPN gateway that sits alongside virtual machines hosting the
organization’s applications. A Software as a Service (SaaS) application might not
require a VPN at all, but it will still require the identity and authorization data that
a VPN provides today.
Across an organization with a hybrid deployment of all of these types of back-end
environments, the next-generation access offering must provide end-to-end security,
from the application instance on the endpoint device all the way to the data center
or cloud, with a single authentication and a seamless user experience. It must also
provide a single pane of glass view for management of the distributed application
Introducing F5 Mobile App Manager
F5® Mobile App Manager (MAM) is a mobile application management and access
solution that securely extends the enterprise to personal mobile devices. It manages
applications and secures data while satisfying the needs of employees and enterprise
IT departments. For IT, it limits the burden associated with securing and controlling
personal data and mobile use. For employees, it safely separates personal data
and use from corporate oversight. F5 MAM is a complete mobile application
management platform offering security, management, and compliance for BYOD
deployments. It is a true enterprise device, data, and information management
solution that fits the needs of the mobile enterprise better than MDM solutions.
The proliferation of mobile devices in the enterprise has created new challenges
for IT administrators: they must be able to control devices coming into their network,
track inventory, monitor for threats and vulnerabilities, and protect corporate
information. At the same time, they must simplify the process of provisioning
devices for WiFi, VPN, etc., and support configuring access to email, contacts,
calendars, and other essential communication tools.
By Peter Silva
Technical Marketing Manager